Data Processor Terms for Consultants

Supercell Oy

Last Updated: January 24, 2020

  1. Definitions
    In these Terms, the following terms shall have the following meanings:
    1. "controller", "processor", "data subject", "personal data" or "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law, as defined below;
    2. "Applicable Data Protection Law" shall mean all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the parties are subject, including, but not limited to, the California Consumer Privacy Act of 2018 ("CCPA") and the EU General Data Protection Regulation 2016/679 ("GDPR");
    3. "the Services", "Supercell" and "the Consultant" shall have the meanings set out in the Consulting Agreement (the "Agreement") between Supercell Oy and the Consultant which incorporates these Terms. If and to the extent language in these Terms conflicts with the Agreement, these Terms shall control.
  2. Relationship of the parties: Supercell (the controller) appoints the Consultant as a processor to process personal data relating to its end users, which is processed in the course of providing the services (the  "Supercell Data") for the purposes described in the Consulting Agreement (or as otherwise agreed in writing by the parties), but in any case solely for the benefit of Supercell and not the Consultant or a third party (the "Services").  Consultant will act as a "Service Provider" as the term is defined in the CCPA. Neither Consultant nor its subcontractors shall sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Supercell Data to any third party in a way that would constitute "selling" as the term is defined by the CCPA. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
  3. Duration and Survival: These Terms will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign these Terms, if completed after the effective date of the Agreement. Consultant will process Supercell Data until the relationship terminates as specified in the Agreement. Consultant's obligations and Supercell's rights under these Terms will continue in effect so long as Consultant processes Supercell Data.
  4. Documented Instructions: Consultant and any subcontractors shall process Supercell Data solely for the purpose of and to the extent necessary to provide the Services to Supercell in accordance with the Agreement, these Terms, and Data Protection Laws. Consultant will, unless legally prohibited from doing so, inform Supercell in writing if it reasonably believes that there is a conflict between Supercell's instructions and applicable law or otherwise seeks to process Supercell Data in a manner that is inconsistent with Supercell's instructions.
  5. International transfers:  the Consultant shall not transfer the Supercell Data (or allow the Supercell Data to be transferred) outside of the European Economic Area ("EEA") without Supercell's prior written consent, which, without prejudice to Supercell's right to refuse or prescribe any other conditions, shall be conditional upon the Consultant ensuring, and demonstrating to the reasonable satisfaction of Supercell, that the conditions under Applicable Data Protection Law are satisfied. For example, where appropriate, the Consultant may enter into standard data protection contractual clauses pursuant to Article 46(2)(c) of the GDPR, or can otherwise rely on active participation in the US-EU Privacy Shield program.  If relying on the Privacy Shield, Consultant warrants that it will maintain its Privacy Shield certification during the term of the Agreement and will process the Supercell Data in accordance with the Privacy Shield principles. Consultant will provide written notification to Supercell before it withdraws from or otherwise no longer maintains a current certification to Privacy Shield, or if it can no longer meet its obligations under this Section.
  6. Confidentiality of processing:  The Consultant shall (i) only process the Supercell Data itself, (ii) shall do so in the strictest confidence and in accordance with the confidentiality provisions in the Consulting Agreement and (iii) shall not authorise any other person to process the Supercell Data. Any person or Third Party authorized to process Supercell Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
  7. Security:  The processor shall implement appropriate technical and organisational measures to protect the Supercell Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Supercell Data (a "Security Incident"). At a minimum, such measures shall include:
    • Pseudonymisation of Supercell Data where appropriate, and encryption of Supercell Data in transit and at rest;
    • The ability to ensure the ongoing confidentiality, integrity, availability of Consultant's processing and Supercell Data;
    • The ability to restore the availability and access to Supercell Data in the event of a physical or technical incident;
    • A process for regularly evaluating and testing the effectiveness of the Consultant's Information Security Program to ensure the security of Supercell Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. 
  8. Subcontracting:  the Consultant shall not engage any third party subprocessors to process the Supercell Data without Supercell's prior written consent, which, without prejudice to Supercell's right to refuse or prescribe any other conditions, shall be conditional upon the Consultant entering into appropriate terms including in relation to data protection matters, which are at least as restrictive as the obligations in these Terms, appropriate under Applicable Data Protection Law, and which are reasonably satisfactory to Supercell.
  9. Cooperation and data subjects' rights and Data Protection Impact Assessment:  The Consultant shall provide reasonable and timely assistance to Supercell (at Supercell's expense):
    1. to enable Supercell to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Supercell Data.   In the event that any such request, correspondence, enquiry or complaint is made directly to the Consultant, the Consultant shall promptly inform Supercell providing full details of the same; and
    2. in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
  10. Security incidents: If it becomes aware of a confirmed or reasonably suspected breach of security leading to the accidental or unauthorized destruction, loss, alteration, disclosure of, or access to Supercell Data (a "Security Incident"), the Consultant shall inform Supercell without undue delay (in no case longer than 48 hours) and shall provide reasonable information and cooperation to Supercell so that it can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. The Consultant, at its own expense, shall also take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident, including (i) providing notice to public and/or regulatory authorities, individuals, or other persons, or (ii) undertaking other remedial measures (including, without limitation, notice, credit monitoring services and the establishment of a call center to respond to inquiries). Consultant shall keep Supercell informed of all material developments in connection with the Security Incident, and shall provide Supercell with drafts of notices to public and/or regulatory authorities, individuals, or other persons before providing such notices to their recipients. If Supercell chooses to carry out the remedial actions described above itself, Consultant agrees to reimburse Supercell for its reasonable costs.
  11. Deletion or return of Supercell Data:  Upon termination or expiry of the Consulting Agreement, the Consultant shall (at Supercell's election):
    1. destroy or return to Supercell all Supercell Data in its possession or control; or
    2. allow an authorised representative of Supercell to have reasonable access to the systems and storage devices used by the Consultant in providing the Services for the purpose of destroying or returning all Supercell Data in the Consultant's possession or control. 

    This requirement shall not apply to the extent that the Consultant is required by applicable law to retain some or all of the Supercell Data.

  12. Audit:  The Consultant shall also respond to any written audit questions submitted to it by Supercell and co-operate with any request to audit its practices more generally, which may include access to premises, systems or software used by the Consultant to process the Supercell Data, provided that Supercell shall use such access only for the purposes of assessing the Consultant's compliance with these Data Processor Terms when processing the Supercell Data. To the extent that a Consultant audit and/or Supercell audit identifies any material security vulnerabilities, Consultant shall remediate those vulnerabilities within fifteen (15) days of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time not to exceed sixty (60) days.
  13. Indemnification: Consultant agrees to indemnify, defend and hold harmless Supercell and each of its officers, directors, employees, subcontractors, representatives and agents from any and all damages, actions, third-party claims, liabilities, costs and expenses, including reasonable attorneys' fees and expenses resulting from such actions or claims, arising out of or relating to: (i) a Security Incident; (ii) Consultant's negligence or willful misconduct related to Supercell Data; and/or (iii) Consultant's breach of these Terms.